INTERPRETATION AND APPLICATION GUIDANCE - BAFIN
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
This translation is furnished for information purposes only. The
original German text is binding in all respects.
Interpretation
and
Application
Guidance
in relation to the German
Money Laundering Act
(Geldwäschegesetz – GwG)
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG as of: December 2018Table of contents I. Addressees 3 IV. Other obligations 67 Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 2 of 84
I. Addressees 1. Addressees of the anti-money laundering obligations under the supervision of BaFin 1.1 Credit institutions Credit institutions are institutions as defined in section 1 (1) of the German Banking Act (Kreditwesengesetz – KWG), with the exception of the undertakings specified in section 2 (1) nos. 3 to 8 of the KWG, and German branches (Zweigstellen) and branch offices (Zweigniederlassungen) of credit institutions seated abroad (section 2 (1) no. 1 of the GwG). Under section 1 (1) sentence 1 of the German Bausparkassen Act (Gesetz über Bausparkassen – BauSparkG), these include Bausparkassen whose business operations entail receiving deposits from Bauspar customers (Bauspar deposits) and, out of the collected amounts, providing Bauspar customers with money loans (Bauspar loans) for housing finance activities (Bauspar business). 1.2 Financial services institutions Financial services institutions are institutions as defined in section 1 (1) (a) of the KWG, with the exception of the undertakings specified in section 2 (6), sentence 1 nos. 3 to 10 and 12 and (10) of the KWG and German branches and branch offices of financial services institutions seated abroad (section 2 (1) no. 2 of the GwG). 1.3 Payment institutions and electronic money institutions Payment institutions and electronic money institutions are institutions as defined in section 1 (2) (a) (NB: now section 1 (1) sentence 2) of the German Payment Services monitoring Act (Zahlungsdiensteaufsichtsgesetz – ZAG) and German branches and branch offices of comparable institutions seated abroad (section 2 (1) no. 3 of the GwG). These include providers of payment initiation services as well as account information services (section 1 (1) sentence 2 nos. 7 and 8 of the ZAG). Payment initiation services are services where, at the instruction of the payment service user, a payment order is triggered in relation to a payment account held by another payment service provider (section 1 (33) of the ZAG). Account information services are online services for notification of consolidated information concerning one or more payment accounts which the payment service user holds with one or more payment service providers (section 1 (34) of the ZAG). NB: the obliged entities which provide the above-mentioned services must at least comply with the obligation to submit suspicious transaction reports in this respect (section 43 (1) of the GwG). Such matters must be reported, irrespective of the value of the wealth in question or the amount of the transaction involved, to the German Financial Intelligence Unit (Zentralstelle für Finanztransaktionsuntersuchungen – FIU) without delay. Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 3 of 84
In addition, payment initiation service providers are subject to the general due diligence obligations in relation
to payment recipients, insofar as they maintain business relationships with them.
1.4 Agents and e-money agents
Agents and e-money agents are natural or legal persons as defined in section 1 (7) (NB: now section 1 (9)) of
the ZAG or section 1 (a) (6) (NB: now section 1 (10)) of the ZAG (section 2 (1) no. 4 of the GwG).
1.5 Independent businesspersons within the meaning of the GwG
Independent businesspersons are natural or legal persons who distribute or re-exchange the electronic money
of a credit institution as defined in section 1 (a) (1) no. 1 (NB: now section 1 (2) sentence 1 no. 2) of the ZAG
(section 2 (1) no. 5 of the GwG). The amendments to section 2 (1) no. 5 (no. 2 (c) in the old version) of the
GwG are merely editorial in nature and have not had any impact on the group of obliged entities indicated
therein.
1.6 Insurance undertakings
The following preconditions must be fulfilled in order to qualify as an insurance undertaking which is an
obliged entity under the GwG as well as the anti-money laundering provisions of the German Insurance
Supervision Act (Versicherungsaufsichtsgesetz – VAG):
1. The insurance undertaking in question must be an insurance undertaking as defined in
Article 13(1) of Directive 2009/138/EC of the European Parliament and of the Council of
25 November 2009 on the taking-up and pursuit of the business of Insurance and Reinsurance
(hereinafter: “Solvency II Directive”) or a domestic branch of such undertakings seated abroad.
This includes all direct life insurance and non-life insurance undertakings (including branches)
which have received a licence pursuant to Article 14 of the Solvency II Directive from a
supervisory authority in Germany.
2. This undertaking/branch must:
offer life insurance activities which under Article 2(3) of the Solvency II Directive fall under
the above-mentioned Directive (cf. section 2 (1) no. 7 (a) of the GwG, section 52 of the
VAG),
This includes
1. the following life insurance activities where they are provided on the basis of a contract:
a. life insurance which covers endowment insurance, whole life insurance,
combined endowment and whole life insurance, life insurance with a return of
premium as well as marriage and birth insurance;
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 4 of 84this includes “traditional” life insurance, in particular providing endowment and
whole life cover (including term life insurance);
b. pension insurance;
this includes “Riester” and basic annuity contracts (Basis-Rentenverträge);
c. additional insurance policies taken out in addition to life insurance, i.e. in
particular insurance covering bodily injury including occupational disability,
insurance against death due to accident, insurance against disability due to
accident or illness;
This includes the additional insurance policies offered by life insurance firms
together with life insurance, generally disability insurance. This includes
additional occupational disability insurance, work incapacity insurance, basic
capability insurance, care pension risk insurance or dread disease insurance as
well as additional accident insurance.
In all of these types of insurance, the insured event is tied to a physical and
objectively determinable impairment due to an illness or accident.
2. the following transactions requiring supervision such as
a. capital redemption operations,
b. operations for the management of pension funds (management of the
investments and assets for the pension fund; but not the pension fund’s
granting of pension commitments),
c. the operations designated or stipulated in social insurance law which depend
on the length of life, insofar as they are operated or managed by life insurance
undertakings at their own risk in accordance with the legal provisions of a
Member State (e.g. insolvency hedging for time-value accounts).
On the other hand, due to Article 9 of the Solvency II Directive this does not apply for the
following transactions and activities, so that nor are these covered by the GwG:
1. operations of provident and mutual benefit institutions whose benefits vary according
to the resources available and which require each of their members to contribute at the
appropriate flat rate and also
2. operations carried out by organisations other than the above-mention life insurance
firms whose object is to provide benefits for employed or self-employed persons
belonging to an undertaking or group of undertakings, or a trade or group of trades,
in the event of death or survival or of discontinuation of work or a reduction of earning
capacity, whether or not the commitments arising from such operations are fully
covered at all times by mathematical provisions.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 5 of 84This means that, in particular, the operations of occupational pension schemes or social
security institutions as well as institutions which only insure against death risks in relation to
the burial costs which are carried out by other institutions under Article 3(3) and (5) of the
Solvency II Directive are not covered by this directive, so that the conduct of this business is
not covered by section 2 of the GwG. This applies for pension funds (Pensionskassen) and
death benefit funds. A support fund is likewise not subject to the money laundering-related
provisions as an obliged entity, since it does not conduct any insurance business.
offer accident insurance contracts with a premium refund (section 2 (1) no. 7 (b) of the
GwG, section 52 of the VAG) or
grant loans within the meaning of section 1 (1) sentence 2 no. 2 of the KWG
(section 2 (1) no. 7 (c) of the GwG).
The grant of loans within the meaning of section 1 (1) sentence 2 no. 2 of the KWG is business
which is typically also offered by the credit institutions covered by no. 1 in this concrete manner
or similarly. This applies, in particular, for mortgage loans as well as other loans granted within
the scope of business activities. In case of a lesser risk situation in a specific instance due to
particular factors (e.g. offsetting of instalment payments against the salaries of employees or
commission paid), section 14 of the GwG provides for the option of an appropriate reduction in
customer due diligence requirements.
1.7 Asset management companies and others
In addition, obliged entities include asset management companies as defined in section 17 (1) of the German
Investment Code (Kapitalanlagegesetzbuch – KAGB), German branch offices of EU management companies
and of foreign AIF management companies, and foreign AIF management companies for which the Federal
Republic of Germany is the reference Member State and which are subject to supervision by the Federal
Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) pursuant to
section 57 (1) sentence 3 of the KAGB (section 2 (1) no. 9 of the GwG).
Pursuant to section 2 (1) no. 9 of the GwG, all asset management companies under section 17 (1) of the KAGB
are obliged entities under the GwG. This includes registered asset management companies.
1.8 Financial holding companies and mixed financial holding companies
Pursuant to section 25 (l) of the KWG, financial holding companies or mixed financial holding companies
which qualify as superordinate companies under section 10 (a) of the KWG or which have been designated as
such by BaFin are obliged entities under section 2 (1) no. 1 of the GwG and are thus also supervised by BaFin
under section 50 no. 1 in conjunction with section 41 (1) of the GwG.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 6 of 84II. Risk management (risk assessment and internal
safeguards)
2. Risk management and assessment – sections 4 and 5 of the GwG
2.1 General principles
Under section 4 of the GwG, the obliged entities must have an effective risk management system which
covers risk assessment under section 5 of the GwG and internal safeguards under section 6 of the GwG.
This obligation represents the core of a risk-based approach in relation to money laundering and
terrorist financing.
A risk management system will be effective where it covers the entire business activities of the obliged
entity and clearly takes into consideration the specific risks arising and where the internal safeguards
thus determined must be considered to be appropriate in relation to these risks.
Appropriateness will be evaluated – as within the scope of the creation of risk management systems –
on the basis of the obliged entity’s specific risk assessment in relation to the risk structure of the services
and products which it offers and, where applicable, on the basis of the results of the national risk
assessment.
Pursuant to section 4 (1) of the GwG, the nature and scope of the business activities of the obliged
entities are to be taken into consideration in the design of the risk management system.
2.2 Responsibility
The responsibility of a member of the management (e.g. board of management member, managing director)
under section 4 (3) of the GwG for the establishment of an orderly and appropriate risk management system
within the meaning of section 4 of the GwG must be clearly documented. Notification of BaFin is not
necessary. This responsibility is applicable irrespective of the management board’s overall responsibility.
For this purpose, the member of the management must be precisely familiar with the risks and their
assessments in connection with money laundering and terrorist financing in relation to the business activities
of the obliged entity. For this purpose, he must be provided with the necessary key information regularly –
and, where necessary, promptly – in full, comprehensibly and correctly.
The risk assessment as well as the initial establishment of/key changes to the internal safeguards require the
approval of the designated member of the management (section 4 (3) of the GwG).
2.3 Risk assessment
Principle
The contents of the previous BaFin circular 8/2005 (GW) have been incorporated within the scope of this
statutory regulation.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 7 of 84The risk assessment must be produced to an appropriate extent, thus in accordance with the nature and scope
of the business activities of the obliged entity (section 4 (1) of the GwG).
Annexes 1 and 2 of the GwG which are relevant in this regard (section 5 (1) of the GwG) include sample lists
of factors and possible indications of a potentially lower or higher level of risk. Unlike in the case of the
scenarios with a higher level of risk per se specified pursuant to section 15 (3) and (8) of the GwG and defined
by the obliged entities themselves pursuant to section 15 (2) of the GwG, the applicability of individual factors
does not mean that an increased level of risk is thus applicable per se. Instead, the key point is the overall
assessment in a specific case of all (risk-increasing and risk-reducing) factors.
Guidelines on Risk Factors
In addition, pursuant to section 2 (1) nos. 1, 2, 3, 7, 8 and 9 of the GwG the obliged entities must comply with
the Joint Guidelines of the European Supervisory Authorities (hereinafter: Guidelines on Risk Factors) of
4 January 2018 in preparing or revising a risk assessment (Art. 17 and Art. 18 of Directive (EU) 2015/849 on
the prevention of the use of the financial system for the purposes of money laundering or terrorist financing
(hereinafter: Fourth Money Laundering Directive; cf. Title I, no. 4 et seq.)). These guidelines are a core element
of the implementation of the risk-based approach.
The Guidelines on Risk Factors include examples of risk factors which the obliged undertakings are obliged to
take into consideration within the scope of the statutory provisions – where applicable – in their review and
assessment of the money laundering and terrorist financing risks associated with a transaction. In addition,
the Guidelines on Risk Factors describe how the obliged entities can adjust the scope of their customer due
diligence obligations in accordance with the risks identified by them, so as to make optimal use of the available
resources. The Guidelines on Risk Factors supplement for the obliged entities the risk factors contained in the
Annexes to the GwG.
Following an introductory section I, the Guidelines on Risk Factors comprise two parts:
a. Section II consists of general comments and factors to be taken into consideration which apply for all
undertakings subject to anti-money laundering obligations. This guidance is intended to enable the
obliged undertakings to make in-depth and risk-oriented decisions in connection with the
identification, assessment and treatment of money laundering and terrorist financing risks which may
apply within the scope of business relationships as well as other, occasional transactions.
b. On the other hand, section III comprises various area-specific subsections and helps undertakings to
apply their respective customer due diligence obligations on a risk-oriented basis.
The Guidelines on Risk Factors have a particular significance, since – in deviation from previous legislation –
the new GwG does not specify any scenarios where simplified due diligence obligations may apply. A similar
situation applies for scenarios which are subject to an increased level of risk and which are not expressly
referred to in section 15 (3) of the GwG.
Objective and implementation
The objective of the risk assessment is to fully and completely register, identify, categorise and weigh up the
specific risks in relation to money laundering and terrorist financing which arise within the scope of the
business activities of the obliged entity. On this basis, appropriate money laundering prevention measures are
to be implemented, in particular internal safeguards.
Appropriateness will be determined – as within the scope of the creation of risk management systems – on
the basis of the obliged entity’s own risk assessment in relation to the risk structure of the services which it
offers.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 8 of 84The following steps in particular are necessary as of the preparation of an internal risk assessment and the
associated determination of the necessary measures:
a complete survey of the undertaking’s specific situation,
registration and identification of customer-, product- and transaction-related risks as well as
geographical risks,
categorisation of the identified risks, i.e. classification in terms of risk groups and, where applicable,
additional weighting, i.e. assessment,
the development and realisation of appropriate internal safeguards which are used within the scope
of the necessary money laundering prevention measures due to the outcome of the risk assessment
(see chapter 3 for further details),
the review and ongoing development of the internal safeguards enacted to date, taking the outcome
of the risk assessment into consideration.
Step 1
The business structure of the obliged entity is relevant for the survey of its specific situation. Within the scope
of this survey, registration of the undertaking’s basic customer structure, its business units and processes, the
products which it offers, its channels of distribution and its organisational structure is particularly important.
Step 2
The risks can be registered and identified by means of the financial sector’s expertise in relation to the
techniques used for money laundering and financing of terrorism. The expertise which is required for this
purpose may be obtained or updated e.g. on the basis of national and international guidance and typology
documents as well as lists of criteria establishing grounds for suspicion (incl. the typology documents available
for the obliged entities in the internal section of the FIU’s website (www.fiu.bund.de) , for the areas of “money
laundering” and “terrorist financing”, or similar documents of the FATF on its website (www.fatf-gafi.org)), the
undertaking’s existing knowledge or knowledge subsequently obtained by the undertaking (such as from
media evaluations), the general analysis of suspected cases in which the undertaking has been involved in the
past, or the exchange of knowledge with anti-money laundering officers (hereinafter: AML officers) of other
obliged entities.
Step 3
The identified risks must be categorised, i.e. divided up into different risk groups and assessed in terms of
their significance. This may include a weighting of the various risks/risk groups. As a rule, the identified risks
will be assessed within the scope of the risk assessment in terms of three different risk levels (high, medium,
low). However, further differentiation/gradation by means of additional risk levels/categories and a – voluntary
– reduction to fewer levels/categories (e.g. exclusively normal (medium) and higher-level) is likewise possible.
Example of a three-level risk classification:
High => all scenarios which are also included in this classification either due to the high-risk classes
defined by the legislation (section 15 of the GwG) or on the basis of the obliged entity’s own risk
assessment, taking into consideration Annex 2 to the GwG, the Guidelines on Risk Factors or other
specific information.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 9 of 84 Medium => all scenarios which are not included in the classification “high” or “low” due to the
obliged entity’s own risk assessment.
Low => all scenarios where a low level of risk may be assumed in view of the requirements laid down
in section 14 of the GwG, Annex 1 to the GwG as well as the Guidelines on Risk Factors on the basis
of a plausible risk assessment.
Various assessment methods may be used in the assessment. An assessment system subject to various
weightings for different risk factors is possible, and so too is a fixed system where a high risk value for one
individual factor is binding for the risk assessment and cannot be compensated for by means of factors subject
to a low level of risk.
In addition, absolute criteria may be defined which automatically affect the customer classification and/or
automatically entail a specific safeguard (e.g. particular decision-making processes as of the registration of
specific new customers, e.g. PEPs or customers seated in a high-risk country).
Risk-based deviations or exceptions must be documented and justified, while taking into consideration the
above comments.
For the purpose of the assessment, the obliged entities must also include the current national risk assessment
results published in relation to money laundering and terrorist financing.
Step 4
The results of the risk identification, categorisation and weighting are to be implemented within the scope of
the individual internal safeguards. In principle, these must be determined on the basis of the results of the
risk assessment and must be consistent with these.
As with risk management in general, for the implementation of individual prevention measures in a specific
instance the greater the level of risk potential, the greater the need to proceed carefully.
Step 5
The internal safeguards enacted must be reviewed and developed while taking into consideration the
outcome of the risk assessment.
Documentation and updating obligation, section 5 (2) of the GwG
The obliged entities must clearly document their risk assessment, subject to section 5 (4) of the GwG. The
above internal risk assessment steps must therefore be included in this documentation.
The need for an update to the risk assessment must be reviewed regularly, i.e. at least once per year, and this
must be updated where necessary. The changes made within the scope of this update must be clearly
presented in a form which indicates the level of change in the risk assessment and must be documented
accordingly.
The current version of the risk assessment must be provided to BaFin at its request. The same applies for the
internal auditors (where applicable) and for the external auditors. The current risk assessment must be
presented to the competent member of the management. This must be documented in an audit-compliant
manner.
Group-wide risk assessment, section 5 (3) of the GwG
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 10 of 84Under section 5 (3) of the GwG, the obligation to produce a risk assessment also applies for parent
undertakings of a group in relation to the group as a whole (see chapter 3 for the group obligations in detail).
Possibility of exemption, section 5 (4) of the GwG
Under section 5 (4) of the GwG, subject to certain preconditions BaFin may exempt obliged entities from
documentation of the risk assessment under subsection 1 (NB: not from the implementation of this risk
assessment or from the obligation to enact appropriate internal safeguards).
This exemption will be granted at the request of the obliged entity. A charge will apply in case of the rejection
of this request and likewise for its approval. While every obliged entity is entitled to submit a request for
exemption, due to the risks generally applicable in the financial sector as a rule this exemption will only apply
in the non-financial sector.
An exemption may only be granted subject to cumulative fulfilment of the following preconditions specified
in the Act:
clear identifiability of the existing concrete risks for the obliged entity
In particular, this precondition will be fulfilled where the business operations of the obliged entity do
not include any complex business activities, the transactions which it implements are limited in scope,
its customer structure is homogeneous and no other risk-increasing circumstances are applicable.
Pursuant to section 5 (1) sentence 3 of the GwG, the extent of the risk assessment will depend on the
nature and size of the business activities of the obliged entity. The lower the level of complexity of
these business activities, the lower the requirements on the part of BaFin in relation to the preparation
(and documentation) of a risk assessment. Conversely, the larger and more complex the risks which
an obliged entity is subject to, the lower the probability of an exemption from this documentation
obligation.
In this context, the possibility of an exemption should only be considered where, even though it is
proportionate, documentation of the risk assessment is not necessary and is inappropriate for BaFin.
the obliged entity has an adequate understanding of the existing risks
This relates to the AML officer or, in case of an exemption from the obligation to appoint this person,
the competent member of the management.
An adequate understanding may be assumed where the internal safeguards enacted by the obliged
entity pursuant to section 6 of the GwG are adequate on the basis of the risk situation presented by
the obliged entity.
The obliged entity must clearly and comprehensibly document the applicability of the above-mentioned
preconditions in textual form in its request submitted to BaFin.
3. Internal safeguards, section 6 of the GWG
General clause, section 6 (1) of the GwG
As well as the risk assessment, risk management includes the implementation of appropriate internal
safeguards under section 6 of the GwG.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 11 of 84Such safeguards will be appropriate where they correspond to the risk situation of the obliged entity – from
the point of view of principles, procedures and controls – and adequately cover it. In particular, these measures
must reflect the size and the organisational structure of the obliged entity, especially its business and customer
structure (cf. Guidelines on Risk Factors). The obliged entity will determine the appropriateness of these
measures on the basis of its own analysis with regard to the existing money laundering and terrorist financing
risks for all of the products and services which it offers and on the basis of other relevant circumstances. BaFin
may review whether the obliged entity’s risk management is actually appropriate.
The obliged entity must regularly monitor to an appropriate degree the functional capacity and the
effectiveness of its internal safeguards.
Examples of safeguards, section 6 (2) of the GwG
Section 6 (2) of the GwG includes the following examples of the safeguards to be implemented under
subsection 1. Due to their non-exhaustive nature, the internal safeguards listed in technical legislation which
also apply for the respective obliged entities (e.g. section 25 (h) (2) of the KWG, section 53 of the VAG) include
the measures indicated in section 6 (1) of the GwG.
All internal safeguards must be regularly reviewed and updated as necessary (e.g. in case of a significant
change in the risk situation of the obliged entity, in case of findings regarding new money laundering or
terrorist financing techniques or in case of a change in the statutory requirements), either in whole or in part.
3.1 The development of internal principles, procedures and controls
The obligation to develop internal principles, procedures and controls applies in relation to:
dealing with risks, section 6 (2) no. 1 (a) of the GwG
customer due diligence obligations, section 6 (2) no. 1 (b) of the GwG
reporting obligations, section 6 (2) no. 1 (c) of the GwG
recording and retention, section 6 (2) no. 1 (d) of the GwG
other provisions, section 6 (2) no. 1 (e) of the GwG.
3.2 The appointment of an anti-money laundering officer and a deputy, section 7 of the
GwG
Under section 6 (2) no. 2 of the GwG, an AML officer and a deputy must be appointed. This obligation is
stipulated in further detail in section 7 of the GwG.
Pursuant to section 7 (1) of the GwG, inter alia obliged entities under section 2 (1) nos. 1 to 3, 7 and 9 of the
GwG are required to appoint an AML officer at management level (cf. section 1 (15) of the GwG) and a deputy.
These persons must be able to perform their tasks independently and effectively. The deputy will perform
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 12 of 84these activities in the absence of the AML officer or else in collaboration with the AML officer. Where necessary and where collaboration is ensured, multiple deputies may be appointed. The AML officer is an instrument of the management board. As such, he must be organisationally and technically directly subordinate to the competent member of the management (section 4 (3) of the GwG). From the point of view of this role, the AML officer and his deputy are subject to the right of the competent member of the management to issue instructions. The AML officer must report directly to this member of the management. It must also be ensured that, where applicable, the supervisory body included within the scope of the undertaking’s management (e.g. in case of a stock corporation, its supervisory board) – including the competent member of the management – can directly obtain information from the AML officer. To prevent conflicts of interest, as a rule members of the management may only be appointed to the role of AML officers or their deputies in case of obliged entities which have fewer than 15 full-time equivalent employees and which do not have any appropriate employees below management level to perform this activity. Moreover, to avoid conflicts of interest in principle the AML officer should not be simultaneously tasked with the duties of a data protection officer, unless appropriate consideration is given to his respective obligations and this situation is clearly justified and documented for audit purposes. In addition, the AML officer may not perform internal audit functions. In principle, the AML officer should not have any ties to other organisational or staff functions. This does not apply for ties to other supervisory functions at the same level, such as compliance or risk controlling, where both of these areas are managed at the same time. Where ties nonetheless exist with other organisational or staff functions, such as the legal department, this must be clearly documented for audit purposes, indicating the grounds for the ties to the other organisational unit. The commercial interest of the undertaking may not conflict with the orderly execution of the tasks of the AML officer. Section 7 (7) of the GwG clarifies that the rights of the AML officer and his deputy/deputies as employees may not be encroached upon due to conflicts of interest between fulfilment of the relevant anti- money laundering regulations, the relevant regulatory provisions and the commercial interest of the undertaking. Notification of appointment and dismissal BaFin must be notified in advance, without delay, of the appointment and dismissal of the AML officer and his deputy/deputies, indicating the relevant date and the contact details. BaFin reserves the right to require information on the qualifications of the relevant employee (e.g. overview of his career history, proof of his attendance of money laundering training events etc.) and regarding his reliability (e.g. in the form of information from the German Federal Central Criminal Register (Bundeszentralregister) and, where appropriate, from the German Central Trade and Industry Register (Gewerbezentralregister)). Possibility for BaFin to revoke an appointment The obliged entity must ensure that the appointment of the AML officer or the deputy can be revoked on the instruction of BaFin if, in the opinion of BaFin, the appointee does not fulfil the requirements with regard to his qualifications or reliability. This will generally arise where statements made by the obliged entity or other information received by BaFin indicate a lack of qualifications or reliability. Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 13 of 84
Indications as to the unreliability of an AML officer may arise, for instance, due to his work to date, either as
an AML officer or in a different capacity (such as a former manager of an obliged entity).
Requirements for the role of AML officer
Since the AML officer serves as a contact for BaFin, the prosecuting authorities and the Financial Intelligence
Unit (hereinafter: FIU), in principle he should have an adequate command of the German language so as to
be able to communicate with the competent authorities. No delays may arise in the performance of his tasks
in this respect.
Insofar as a “central institution” within the meaning of section 25 (h) (7) sentence 1 of the KWG is incorporated
within an institution within the meaning of section 2 (1) no. 1 or 2 of the GwG, the AML officer is also
responsible for all measures to prevent “other criminal offences” within the meaning of
section 25 (h) (1) sentence 1 of the KWG. These measures must be coordinated with the measures for the
prevention of money laundering and terrorist financing in terms of their contents and from an organisational
point of view.
Material/personnel resources and rights of the AML officer
The material and personnel resources of the AML officer must reflect the size, the business model and the
abstract risk situation of the relevant obliged entity as well as the resulting tasks of the AML officer, so as to
ensure adequate performance of his tasks.
Appropriate resources must be provided for the implementation of the AML officer's tasks which ensure
fulfilment of the statutory requirements (e.g. sections 6 (2) no. 6, 7 (5) sentence 3 of the GwG). Any reduction
of these resources must be justified in writing by the competent member of the management. The supervisory
body of the obliged entity must be notified of any significant reductions.
Irrespective of the overall responsibility of the competent member of the management, the AML officer is
responsible for compliance with the regulations on the prevention of money laundering and terrorist
financing.
The AML officer and his deputy/deputies must be authorised, within the scope of their performance of their
work,
to submit the necessary legally binding declarations for the undertaking and to represent it externally
in case of relevant situations and
to provide undertaking-specific instructions for all matters relating to the prevention of money
laundering and terrorist financing.
As well as the grant of the authority to act individually or jointly for the undertaking, this authorisation may
be issued by different means, e.g. through the grant of a relevant commercial power of attorney.
The AML officer and his deputy/deputies have the power to issue instructions to the employees of the
undertaking within the scope of the fulfilment of their tasks. In principle, they are subject to the instructions
of the competent member of the management.
However, this does not apply for the cases indicated in section 7 (5) sentence 6 of the GwG: the AML officer
is thus not subject to the management board’s right to give instructions in relation to envisaged reports under
section 43 of the GwG or his response to a request for information from the FIU.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 14 of 84In particular, the AML officer must be involved as early as possible in the processes for the design and review
of new products, in the development of new areas of business, financial services and customer categories, so
as to ensure their effective monitoring and assessment and in order to safeguard the advisory and support
function of the AML officer for the prevention of money laundering and terrorist financing. The same applies
for the preparation of organisational and work instructions, so as to ensure that these are suitable in order to
prevent violations of the relevant statutory provisions.
The AML officer must have a position which enables him to represent matters associated with the prevention
of money laundering and terrorist financing sufficiently vigorously, including in relation to the management
to which he reports.
The AML officer must be included in all flows of information which may be of significance for the fulfilment
of his tasks. He must be granted access to all information of relevance for his activity and must be granted an
unrestricted right to receive information, right of inspection and right of access for all premises and
documents, records, IT systems and further information which is required for the determination of relevant
matters. The AML officer may have the internal auditors and external auditors provide him with relevant audit
reports.
Insofar as the AML officer avails himself of the services of further persons outside of his field for the
performance of his tasks, these persons must keep him regularly informed of the implementation of their
activities and their results. The AML officer is entitled to issue them with instructions within the scope of the
fulfilment of their tasks.
Employees of the undertaking may not refuse to hand over documents or to provide information which is of
relevance for the prevention of money laundering or terrorist financing. This is without prejudice to rights to
refuse to provide testimony or information in criminal proceedings.
Tasks of the anti-money laundering officer
The tasks to be performed by the AML officer include, in particular (cf. the ruling of Frankfurt am Main Higher
Regional Court of 10 April 2018, ref. no.: 2 Ss-OWi 1059/17):
The creation and development of a uniform undertaking-specific risk assessment or a coordinated
series of undertaking-specific risk assessments (section 5 of the GwG; see chapter 2.3)
The development and updating of internal principles and procedures for the prevention of money
laundering and terrorist financing, in particular work and organisational instructions and appropriate
business- and customer-related protection systems
The AML officer must be involved in the preparation of other internal organisational and work
instructions for the obliged entity and their ongoing development, insofar as these are relevant in
relation to the fulfilment of regulations on the prevention of money laundering or terrorist financing.
Establishment of clear reporting lines
Implementation of ongoing monitoring in relation to compliance with the above-mentioned
regulations
The AML officer must ensure the appropriateness and effectiveness of the organisational and work
instructions established and of the business and customer-related internal protection systems of the
undertaking (cf. section 6 of the GwG) by means of risk-based monitoring activities, within the scope
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 15 of 84of a structured approach. In principle, all key areas of the obliged entity’s operations must be included
in this monitoring, including the risks for the individual business units. The AML officer will implement
this monitoring by means of his own risk-based audit activities or else through third-party audit
activities. Monitoring activities relate to transactions and business relationships which, on the basis
of the obliged entity’s expertise, may entail money laundering or terrorist financing risks.
These monitoring activities are to be implemented independently of the retrospective audit
obligations of the internal auditors. Unlike the audits performed by the internal auditors, where
necessary the AML officer will perform his monitoring activities in connection with the prevention of
money laundering and terrorist financing during the course of a process, or at least promptly. For the
performance of his duties, the AML officer is moreover entitled to take samples without any
restrictions.
The AML officer must investigate (cf. section 15 (5) no. 1 of the GwG) transactions which are
particularly complex or large by comparison with similar transactions or which are implemented
without any obvious economic or legal purpose (section 15 (3) no. 2 of the GwG; see chapter 7.4.).
Handling of suspected cases
The AML officer must handle suspected cases, review whether the preconditions for a report under
section 43 of the GwG are fulfilled and, where applicable, forward suspicious transaction reports
under section 43 of the GwG to the competent FIU. In this regard, he must also decide on whether
to terminate the business relationship.
Notification of the management and the supervisory body
Insofar as shortcomings are identified in terms of the principles and procedures for the prevention
of money laundering and terrorist financing, the AML officer must determine the measures which are
required in order to eliminate shortcomings relating to existing internal protection systems and notify
the competent member of the management of this.
Insofar as the competent member of the management deviates from the proposals put forward by
the AML officer, this must be documented.
The AML officer must provide the competent member of the management with a regular report, at
least once a year, on his activities, in particular on the undertaking’s risk situation and on the measures
implemented and envisaged for fulfilment of anti-money laundering obligations. He may do so within
the scope of the risk assessment which is required pursuant to section 4 (3) sentence 2 of the GwG
and which has been prepared accordingly. Further ad hoc reports must be produced where required
for a specific reason.
The competent member of the management must also forward these reports to the chairman of the
supervisory body included within the scope of the undertaking’s management (e.g. in case of a stock
corporation, its supervisory board), where applicable. Changes which are made to key assessments
or recommendations of the AML officer on the instruction of the competent member of the
management must be separately documented in the respective report. The chairman of the
supervisory body must also be notified of these changes.
Instruction of relevant employees regarding the obligations for the prevention of money laundering
and terrorist financing and the preparation of a training concept
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 16 of 84This includes support for the operational departments providing this instruction or else instruction
provided by the AML officer and, where applicable, relevant training (internal or external), in particular
in relation to changes in the law, changes in BaFin's administrative practice or other changes in
supervisory requirements and the resulting rules of conduct for employees.
The AML officer is the contact for BaFin, the prosecuting authorities and the FIU
The AML officer may make use of other departments of the undertaking for the fulfilment of his tasks.
For the AML officer’s effective fulfilment of the above tasks, the undertaking must
have sufficiently clear reporting lines,
the respective competences must have been prescribed in its internal principles and procedures and
there must be no avoidable duplications of powers.
Outsourcing
Insofar as the function of the AML officer pursuant to section 6 (7) of the GwG has been outsourced (see
chapter 3.10. for details), the undertaking must have a contact for any issues associated with the outsourced
function of the AML officer and it must be ensured that the competent member of the management can
directly obtain information from this service provider.
The performance of tasks by a foreign parent company or head office likewise constitutes outsourcing.
Exemption
Under section 7 (2) of the GwG, BaFin may grant exemptions from the duty to appoint an AML officer subject
to the preconditions stipulated therein.
Pursuant to section 7 (2) of the GwG, an exemption from the requirement to appoint an AML officer may
exceptionally be granted if it has been ensured that
there is no risk of a loss of information or of insufficient information on account of a separation of
duties in the undertaking’s structure and
other measures are enacted, after a risk-based assessment, to prevent business relationships and
transactions related to money laundering or terrorist financing.
As a derogating provision this exemption will be restrictively handled, irrespective of the option for the obliged
entities to appoint members of the management as AML officers (cf. 3.2, p. 16). As a rule, an exemption will
only be possible for obliged entities whose measures for the prevention of money laundering and terrorist
financing are free from any significant defects and where there is no indication of any significant defects.
According to consistent administrative practice, a risk of a loss of information or of insufficient information
will generally be assumed in case of obliged entities with more than 15 employees, in groups of undertakings
and, in particular, in case of cross-border corporate structures.
Even in case of an exemption, the obliged entity must comply with all of the other anti-money laundering
obligations. A competent contact must be available in case of inquiries from BaFin, the FIU or prosecuting
authorities.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 17 of 84The obliged entity must submit the application for exemption while providing a written statement of grounds.
A charge will apply in case of the rejection of this request and likewise for its approval.
Power to issue orders
In regard to obliged entities under section 2 nos. 4 and 5 of the GwG, pursuant to section 7 (3) of the GwG
BaFin may order the appointment of an AML officer and a deputy if it deems this appropriate.
3.3 Establishment of group-wide procedures, section 9 of the GwG
Obliged entities seated in Germany which are parent undertakings of a group within the meaning of
section 1 (16) of the GwG are obliged to establish group-wide procedures for the prevention of money
laundering and terrorist financing. These procedures are stipulated in further detail in section 9 of the GwG
(see chapter 11).
3.4 Prevention of misuse of new products and technologies
Under section 6 (2) no. 4, obliged entities must implement appropriate measures to prevent the abuse of new
products and technologies for money laundering and terrorist financing purposes or for the purpose of
facilitating the anonymity of business relationships or transactions. A measure will be appropriate where the
purpose thus pursued in connection with the respective risk situation can be fulfilled.
3.5 Review of reliability
Under section 6 (2) no. 5 of the GwG, obliged entities must establish appropriate risk-oriented measures in
order to review the reliability of their employees.
The term “reliability” is defined in section 1 (20) of the GwG.
Employees will be deemed to be reliable from the point of view of anti-money laundering provisions if they
guarantee
to carefully comply with the obligations set out the GwG as well as other anti-money laundering
obligations and strategies, controls and procedures introduced at the obliged entity in order to
prevent money laundering and terrorist financing,
to report facts as specified in section 43 (1) of the GwG to their manager or to the AML officer, if one
has been appointed, and
not to participate, either actively or passively, in dubious transactions or business relationships.
Under section 6 (2) no. 5 of the GwG, no distinction applies between employees authorised to execute cash
or non-cash transactions. The same applies for persons concerned with the initiation and establishment of
business relationships and for employees who perform purely internal management tasks, for instance, insofar
as these may likewise encourage money laundering and terrorist financing.
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 18 of 84A risk-oriented reliability review, from the point of view of intensity and frequency, must be implemented for
all employees who are active in work areas of relevance for money laundering and terrorist financing or who
have direct access to business premises (e.g. security personnel).
However, in selecting the tools to be used for the purpose of this reliability review and in terms of the number
of checks involved the obliged entity has discretionary scope on grounds of proportionality and while
pursuing a risk-based approach.
It may make use of existing personnel assessment systems or specific monitoring systems. Obliged entities
are free to require a “negative certificate”, for instance. The obliged entity is not required to carry out an
investigation without any cause. Measures which would be considered impermissible on labour or data
protection grounds are not appropriate, even within the scope of section 6 (2) no. 5 of the GwG.
The reliability of employees active in fields of relevance for money laundering and terrorist financing must
generally be reviewed as of the establishment of an employment relationship.
The monitoring activities must be determined on a risk-oriented basis, depending on the position and the
field of activity of the new employee. For instance, these may consist of a review of the plausibility of the
applicant’s details, on the basis of the documents provided, the submission of a police certificate of good
conduct or, where applicable, a review of the applicant’s financial situation.
However, the AML officer must be notified in the event that factual indications become known during the
employment relationship which are liable to call into question the reliability of an employee. For example, the
following findings may give rise to indications:
An employee commits relevant criminal offences.
An employee persistently violates anti-money laundering obligations or internal
instructions/guidelines.
An employee fails to report facts within the meaning of section 43 (1) of the GwG.
An employee participates in doubtful transactions or business.
Compulsory enforcement measures are known to have been initiated versus an employee (e.g.
seizure by a bailiff).
An employee ensures that no deputy is available to fill in for him in relation to certain customers.
An employee seeks to avoid taking holiday and to avoid periods of absence.
An employee administers business documents in a quasi-private capacity.
An employee frequently works on his own in the office outside normal work hours.
An employee frequently takes documents home, without a clear reason for doing so.
3.6 Instruction of employees
Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 19 of 84According to section 6 (2) no. 6 of the GwG, in principle the obliged entities must provide all of their employees with initial and ongoing instruction regarding typologies and current methods of money laundering and terrorist financing, relevant anti-money laundering regulations and obligations as well as data protection provisions This instruction may be provided through classroom training or by means of current IT- based training programmes or documents with suitable contents. The data protection officer or suitably trained personnel may provide instruction regarding data protection provisions. The obliged entities may independently decide, on a risk-oriented basis, on the forms of instruction used as well as their nature, scope and timing. As well as the individual risk situation, in particular ad hoc circumstances must be taken into consideration (e.g. new statutory provisions, significant changes to the administrative practice of BaFin, findings regarding new forms of money laundering and terrorist financing, new employees joining the undertaking or the frequency of money laundering-related incidents or increased error ratios in relation to anti-money laundering obligations). The same applies for the form of instruction. Information on typologies and current methods of money laundering and terrorist financing is to be obtained, inter alia, from dialogue with the FIU pursuant to section 28 (1) no. 9 of the GwG, from the annual reports of the FIU as well as the publications of the Financial Action Task Force (FATF) (annual reports, typology documents etc.). The sole possible limit in relation to the obligation to provide instruction applies in relation to employees who perform activities entirely unconnected to the tasks or services typical of the obliged entity’s business (e.g. cleaning staff). 3.7 Review of the above-mentioned principles and procedures An independent audit may be carried out by internal auditors or else by means of other in-house or external audits. In any event, this review must be appropriate in view of the nature and scope of the obliged entity’s business. The independent review which is required according to section 6 (2) no. 7 of the GwG applies in addition to the monitoring obligations of the AML officer and includes the field for which the AML officer is responsible. The internal auditors or the internal/external audit agency must review compliance with all anti-money laundering obligations. As a rule, an annual risk-adequate review of segments will suffice provided that all of these segments undergo a review within a three-year cycle. The reports must assess whether the safeguards enacted by the obliged entity to combat money laundering and terrorist financing are appropriate, workable, up-to-date and effective and that the AML officer has fulfilled the tasks assigned to him. This assessment must be based on a review covering all of the duties listed in the GwG. At the auditor’s discretion, this may be limited to a review of a sample. The samples used must be proportionate to the total number of transactions which are subject to the reviewed anti-money laundering obligation and which have been recorded pursuant to section 8 of the GwG. The ratio of the sample size to the total number of transactions reviewed must be indicated in the audit report (where applicable, approximately). Irrespective of other retention periods, the reports must be kept for a period of five years in accordance with section 8 (4) of the GwG. For the fulfilment of its task, the body carrying out the review must be granted full access to all relevant information, documents and files concerning all of the customers, persons acting on behalf of the contracting Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 20 of 84
party, beneficiaries and beneficial owners and regarding all of the business relationships and the transactions implemented within the scope of these business relationships. 3.8 Whistleblowing, section 6 (5) of the GwG This provision supplements the body to be established for whistleblowers at official level under section 53 of the GwG (or else at BaFin under section 4 (d) of the Act Establishing the Federal Financial Supervisory Authority (Gesetz über die Bundesanstalt für Finanzdienstleistungsaufsicht – FinDAG)), so as to enable the employees of the obliged entities to report violations of anti-money laundering requirements. This provision corresponds to section 25 (a) (1) sentence 6 no. 3 of the KWG and section 23 (6) of the VAG. Obliged entities are thus required to enact measures appropriate to their nature and size to enable their employees and persons in a comparable position to report violations of anti-money laundering provisions to appropriate bodies, while ensuring that their identity remains confidential. The reports under section 6 (5) of the GwG are not suspicious transaction reports within the meaning of section 43 (1) of the GwG. Persons in a comparable position to employees are persons who act on behalf of the obliged entity within the scope of its business activities but who are not employed by the obliged entity (e.g. self-employed or temporary workers). It remains subject to the discretion of the obliged entities which internal body is responsible for the receipt of the relevant reports and how the confidentiality of the identity of the affected employee can be preserved. 3.9 Safeguarding readiness to provide information, section 6 (6) of the GwG This provision is intended to ensure that the obliged entities enact measures so as to provide the competent authorities with information on whether they maintain business relationships with specific persons and, if so, the nature of these business relationships. The fact that this obligation is enshrined in law safeguards cooperation between the obliged entities and the competent authority. The measures referred to in this provision in regard to the nature and size of the obliged entities need not necessarily be IT procedures. The sole key point is that the obliged entities collect, record and retain the relevant information. In case of inquiries, they must be organisationally and logistically capable of providing BaFin without delay with confidential and complete information on whether they have maintained a business relationship with specific persons and the nature of this business relationship. For the procedures used by the obliged entities for the transmission of information, it must be ensured that this information is transmitted securely and confidentially and that unauthorised third parties do not obtain access to the information transmitted. For example, this will be the case where information is transmitted by post. In case of transmission by e-mail, encryption methods must always be used which are consistent with the current state of the art, so as to ensure the confidentiality of these data. These data must be retained for a period of five years, starting from the date of the inquiry. 3.10 Outsourcing of internal safeguards, section 6 (7) of the GwG Interpretation and Application Guidance pursuant to section 51 (8) of the GwG – as of: December 2018 Page 21 of 84
You can also read
